Are Trump and His Staff Using Unsecured Devices?

According to media reports, President Donald Trump's Android phone is unsecured, and chief advisers are using the RNC e-mail system.

On 25 January 2017, the New York Times reported a story about President Donald Trump’s transition from his private life to the White House after being sworn in on 20 January 2017. In that story, Times reporter Maggie Haberman made an observation that set technology writers fretting:

Mr. Trump’s wife, Melania, went back to New York on Sunday night with their 10-year-old son, Barron, and so Mr. Trump has the television — and his old, unsecured Android phone, to the protests of some of his aides — to keep him company. That was the case after 9 p.m. on Tuesday, when Mr. Trump appeared to be reacting to Bill O’Reilly’s show on Fox News, which was airing a feature on crime in Chicago.

The line in the above paragraph about the president’s “unsecured Android phone” caught the eye of Wired:

Even if you’re not a security expert, some potential dangers of keeping an insecure device in the White House probably come to mind right away. There’s a reason President Obama had to make do with a heavily modified BlackBerry for most of his time in office, and why security officials reportedly issued Trump a locked-down device when he took office. One that he apparently doesn’t always use. If Trump does use his old Android smartphone in his spare time—which recent @realDonaldTrump tweets sent from Android seems to support—he’s leaving himself exposed to all manner of unsavory outcomes…

The headlining concern around Trump using Android is that he’s likely not protected against phishing attacks or malware. All it takes is clicking on one malicious link or opening one untoward attachment—either of which can appear as though it were sent from a trusted source—to compromise the device. From there, the phone could be infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.

The attack may not even be so direct. Many apps request permission to track a phone’s location for legitimate purposes, and a hacker could compromise one of these accounts to determine where the phone, and potentially Trump himself, is at any given time.

On 25 January 2017, Newsweek also reported that senior White House staffers, including Kellyanne Conway, Jared Kushner, Sean Spicer and Steve Bannon had active accounts on the Republican National Committee’s e-mail system:

The system (rnchq.org) is the same one the George W. Bush administration was accused of using to evade transparency rules after claiming to have “lost” 22 million emails.

Making use of separate political email accounts at the White House is not illegal. In fact, they serve a purpose by allowing staff to divide political conversations (say, arranging for the president to support a congressional re-election campaign) from actual White House work. Commingling politics and state business violates the Hatch Act, which restricts many executive branch employees from engaging in political activity on government time.

But after then-candidate Donald Trump and the Republicans repeatedly called for “locking up” Hillary Clinton for handling government work with a private server while secretary of state, the new White House staff risks repeating the same mistake that dogged the Democrat’s presidential campaign. They also face a security challenge: The RNC email system, according to U.S. intelligence, was hacked during the 2016 race. “They better be careful after making such a huge ruckus over the private email over at the State Department,” says former Bush administration lawyer Richard Painter.

The e-mails were deleted by the RNC after the Newsweek story was published, even though a spokesman told the publication the accounts were set up for distribution lists only and there was “nothing wrong” with having them. If Trump’s staffers were using the e-mail accounts for White House business, the contents become subject to disclosure laws.